Changes to customer due diligence
Customer Due Diligence (CDD) is one of the primary ways in which reporting entities identify, assess, mitigate and manage the money laundering, terrorism financing and proliferation financing risk associated with their customers or clients.
The CDD obligation under the AML/CTF regime requires reporting entities to:
- identify and verify the identity of their customers and certain associated persons
- understand the risks associated with providing designated services to their customer, and take appropriate steps to mitigate these risks.
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 would establish an improved, outcomes-based framework for CDD. In particular, the measures in the Bill seek to:
- clarify the core requirements to carry out initial and ongoing CDD
- clarify when enhanced CDD must be applied for higher risk situations
- streamline the circumstances when simplified CDD may be applied for low risk situations.
Comprehensive guidance will be developed by AUSTRAC to provide details on how a reporting entity might implement the reformed obligations.
Initial customer due diligence
A reporting entity would be required to undertake initial CDD before providing a designated service to a customer (subject to limited exceptions detailed below).
If the Bill is passed, the amended Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) would require reporting entities to conduct initial CDD to:
- collect and verify information about the identity of a customer
- understand the potential risks involved in providing designated services to that customer.
A reporting entity would be required to verify their customer’s identity and other relevant information using reliable and independent data. Collectively, this information would still be referred to as ‘Know Your Customer’ (KYC) information.
The Bill would replace the existing ‘applicable customer identification procedures’ (ACIP) in the current AML/CTF Act with the term ‘initial CDD’. The term ‘initial CDD’ more accurately reflects the purpose of the obligation and its operation under the CDD framework. It would shift the focus from prescriptive procedures to the outcome of knowing the customer and understanding the associated money laundering, terrorism financing, or proliferation financing risk associated with providing a designated service to them.
The Bill would clarify that before providing a designated service, a reporting entity must establish the following matters on reasonable grounds:
- the identity of its customer
- the identity of any person on whose behalf the customer is receiving the designated service
- the identity of any person acting on behalf of the customer and their authority to act
- the nature and purpose of the business relationship or occasional transaction
- the identity of the beneficial owners of its customer
- whether the customer or beneficial owner is a politically exposed person, or designated for targeted financial sanctions under an Australian sanction law
- any other matters specified in the AML/CTF Rules.
In order to establish these matters on reasonable grounds, a reporting entity must:
- in the case of customers who are individuals, take reasonable steps to establish that the customer is who they claim to be
- identify the money laundering, terrorism financing, or proliferation financing risk of the customer, based on KYC information that is reasonably available before providing the designated service
- collect KYC information about the customer that is appropriate to the money laundering, terrorism financing, or proliferation financing risk
- verify the KYC information using reliable and independent data, as is appropriate to the money laundering, terrorism financing, or proliferation financing risk of the customer.
Reporting entities who provide designated services in Australia would be required to take the following matters into account when identifying the money laundering, terrorism financing, or proliferation financing risk of the customer:
- the reporting entity’s ML/TF risk assessment (further information on the ML/TF risk assessment is available at Changes to AML/CTF program requirements)
- the kind of customer to whom the designated service will be provided
- the kind of designated services provided, or proposed to be provided
- the delivery channels for the customer to receive the designated services
- the countries the reporting entity deals with, or will deal with, in providing the designated services to the customer
- any matters specified in the AML/CTF Rules.
Reporting entities would retain flexibility in determining how to meet initial CDD obligations in practice, based on risk.
Timing for initial CDD
The Bill provides that in limited circumstances, to be specified in the AML/CTF Rules, initial CDD, or aspects of initial CDD, may be completed as soon as reasonably practicable after beginning to provide a designated service. This exception would only be available where:
- it is essential to avoid interrupting the ordinary course of business
- the reporting entity has policies in place to support them to undertake initial CDD as soon as reasonably practicable, and within any period specified in the AML/CTF Rules
- additional risk associated with delayed verification is low, based on reasonable grounds
- the reporting entity implements AML/CTF policies to mitigate and manage any associated risks of delaying initial CDD
- the reporting entity complies with any requirements specified in the AML/CTF Rules.
Digital identity providers and initial CDD
The AML/CTF regime is technology neutral and provides flexibility to reporting entities about how they fulfil their CDD obligations, commensurate with customer risk. Reporting entities may be able to use third party digital identity service providers as long as they are satisfied that:
- the initial CDD undertaken is appropriate to the money laundering, terrorism financing and proliferation financing risk of the customer
- the verification is based on independent and reliable data.
The reporting entity would still be liable for ensuring they meet their initial CDD obligations in these circumstances, including in relation to record keeping requirements under the AML/CTF Act.
Ongoing customer due diligence
Ongoing CDD obligations require reporting entities to monitor the provision of designated services to their customers on an ongoing basis to manage the risks of money laundering, terrorism financing and proliferation financing.
A reporting entity would be required to apply ongoing CDD measures proportionate to risk, both:
- throughout the course of a business relationship
- in relation to designated services provided as occasional transactions.
Reporting entities providing designated services in Australia would be required to:
- monitor for transactions and behaviours that are unusual, or that may give rise to suspicious matter reporting obligations under section 41 of the AML/CTF Act
- in the course of a business relationship, review and update the identification and assessment of the money laundering, terrorism financing, or proliferation financing risk of the customer, where appropriate
- in the course of a business relationship, review, update and re-verify KYC information about the customer, where appropriate
- in the course of a business relationship with a pre-commencement customer, monitor for significant changes in the nature and purpose of the business relationship that may result in the money laundering, terrorism financing, or proliferation financing risk of the customer being medium or high
- comply with any requirement in the AML/CTF Rules.
Unusual transactions or behaviour would include any suspicious activities, unusual transactions and material changes in a customer’s behaviour.
Reporting entities would be able to design their monitoring processes based on risk and around the frequency of transactions occurring within their business.
Simplified CDD
Simplified CDD is a concept under the current regime. Simplified CDD refers to simpler or less intensive measures that reporting entities may apply to low risk business relationships and occasional transactions, provided they still meet the obligations imposed by the AML/CTF Act.
The Bill clarifies that appropriate simplified CDD measures may be used during initial CDD and ongoing CDD.
This is when both:
- the money laundering, terrorism financing, or proliferation financing risk of the customer is low
- none of the triggers for enhanced CDD apply.
AUSTRAC will produce guidance to support reporting entities to identify when the risk of a customer is objectively low.
Reporting entities would have discretion to determine when simplified CDD measures should be used, appropriate to the risk, and the extent to which their initial and/or ongoing CDD measures should be simplified.
For example, simplified CDD could include:
- reduced evidence requirements for identity verification
- not seeking information on the nature and purpose of the business relationship where this can be inferred from the designated service and other information collected
- less frequently re-verifying KYC information, or implementing different thresholds for transaction monitoring alerts.
Enhanced CDD
Enhanced CDD is a concept under the current regime. Enhanced CDD refers to additional measures that reporting entities are required to apply to higher risk business relationships and occasional transactions, and to some specified relationships.
Under the Bill, enhanced CDD must be applied to both initial CDD and ongoing CDD proportionate to the risk where any of the following apply:
- the money laundering, terrorism financing, or proliferation financing risk associated with providing the designated service to the customer is high
- there is a suspicion of money laundering, terrorism financing, proliferation financing or identity fraud and the reporting entity proposes to continue the business relationship
- the customer, or its beneficial owner, or any person on whose behalf the customer is receiving the designated service, is a foreign politically exposed person
- the customer or its beneficial owner, or any person on whose behalf the customer is receiving the designated service, is physically present in, or is a legal entity formed in, a high-risk jurisdiction for which the FATF has called for enhanced due diligence to be applied
- the designated service that is provided or proposed to be provided is part of a nested services relationship
- the customer is of a kind specified in the AML/CTF Rules.
AUSTRAC will produce comprehensive guidance to support reporting entities to identify when the risk of a customer is objectively high.
Politically Exposed Persons
Politically exposed persons often hold positions that can be abused for money laundering or other offences such as corruption or bribery. Due to the heightened illicit financing risks associated with such customers, reporting entities must take reasonable measures to determine whether a customer or associated person is a politically exposed person, as well as other factors outlined in the Bill.
Enhanced CDD must be applied to:
- all foreign politically exposed persons
- high-risk domestic politically exposed persons
- high-risk international organisation politically exposed persons
- family members and close associates of the above categories of politically exposed persons.
Reporting entities would also be required to take reasonable measures to establish the source of wealth and/or source of funds for such politically exposed persons and associated persons.
Pre-commencement customers
For current reporting entities, pre-commencement customers are those customers that a reporting entity began to provide a designated service to before the commencement of the AML/CTF Act in 2007.
For newly regulated reporting entities under the Bill, pre-commencement customers would be those in a business relationship with the reporting entity when the CDD obligations commence on 1 July 2026.
A customer who enters into a business relationship with a reporting entity on, or after, 1 July 2026 would not be a pre-commencement customer and would need to have full initial CDD obligations applied to them.
Reporting entities would not be required to comply with the initial CDD obligation for pre-commencement customers, or be required to review and update pre-commencement customers’ money laundering, terrorism financing or proliferation financing risk as part of ongoing CDD.
However, for pre-commencement customers, reporting entities must:
- monitor for unusual transactions and behaviours of customers that may give rise to a suspicious matter reporting obligation
- review and, where appropriate, update KYC information about the customer
- monitor for significant changes in the nature and purpose of the business relationship that may result in the money laundering, terrorism financing, or proliferation financing risk of the customer being medium or high.
A reporting entity would be required to undertake initial CDD for a pre-commencement customer if either:
- a suspicious matter reporting obligation arises
- the money laundering, terrorism financing, or proliferation financing risk of the customer becomes medium or high.
Once a pre-commencement customer has undergone initial CDD, they would be transitioned to become an ordinary customer under the AML/CTF Act, and the reporting entity would be required to apply ongoing CDD measures, as appropriate.
Record keeping for Customer Due Diligence
The Bill clarifies that reporting entities would be required to keep any records that are reasonably necessary to demonstrate compliance with their CDD obligations for a period of 7 years after either:
- the business relationship has ended
- the occasional transaction has been completed.
Reporting entities would be required to keep records demonstrating:
- the type and content of the data collected by the reporting entity
- records of any analysis, identification or assessment of illicit financing risk undertaken, for the purposes of CDD.
Reporting entities would not be required to keep copies of identity documents that are used throughout CDD. Instead, they would be required to retain records of what they did to identify a customer and the identifying information the customer presented. For example, reporting entities are required to make records of the details found on a passport that was used for verification purposes, rather than being required to take a copy of the passport itself.
Implementation and commencement
CDD changes would commence on 31 March 2026.
AUSTRAC will work with industry to develop guidance and educational materials to support reporting entities to transition to, and comply with, the changes to the AML/CTF regime.